{
	"id": "66c1d587-07be-4e65-bab2-f2d40be810fa",
	"created_at": "2026-04-06T00:11:27.493722Z",
	"updated_at": "2026-04-10T03:36:36.791963Z",
	"deleted_at": null,
	"sha1_hash": "bd1f9d0cb13681bb9142bb5cf94279e626c5c868",
	"title": "TA505: A Brief History Of Their Time",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1461441,
	"plain_text": "TA505: A Brief History Of Their Time\r\nBy Antonis Terefos\r\nPublished: 2020-11-16 · Archived: 2026-04-05 14:05:12 UTC\r\nThreat Intel Analyst: Antonis Terefos (@Tera0017)\r\nData Scientist: Anne Postma (@A_Postma)\r\n1. Introduction\r\nTA505 is a sophisticated and innovative threat actor, with plenty of cybercrime experience, that engages in\r\ntargeted attacks across multiple sectors and geographies for financial gain. Over time, TA505 evolved from a\r\nlesser partner to a mature, self-subsisting and versatile crime operation with a broad spectrum of targets.\r\nThroughout the years the group heavily relied on third-party services and tooling to support its fraudulent\r\nactivities; however, the group now mostly operates independently from initial infection until monetization.\r\nThroughout 2019, TA505 changed tactics and adopted a proven simple, although effective, attack strategy: encrypt\r\na corporate network with ransomware, more specifically the Clop ransomware strain, and demand a ransom in\r\nBitcoin to obtain the decryption key. Targets are selected in an opportunistic fashion and TA505 currently operates\r\na broad attack arsenal of both in-house developed and publicly available tooling to exploit its victims. In the\r\nNetherlands, TA505 is notorious for their involvement in the Maastricht University incident in December 2019.\r\nTo obtain a foothold within targeted networks, TA505 heavily relies on two pieces of malware: Get2/GetandGo\r\nand SDBbot. Get2/GetandGo functions as a simple loader responsible for gathering system information, C\u0026C\r\nbeaconing and command execution. SDBbot is the main remote access tool, written in C++ and downloaded by\r\nGet2/GetandGo, composed of three components: an installer, a loader and the RAT.\r\nDuring the period March to June 2020, Fox-IT didn’t spot as many campaigns in which TA505 distributed their\r\nproven first stage malware. 
In early June 2020, however, TA505 resumed pushing their GetandGo-SDBbot campaigns, slightly adjusting their chain of infection to leverage HTML redirects. In the\r\nmeantime – and in line with other targeted ransomware gangs – TA505 started to operate a data leak platform\r\ndubbed “CL0P^_- LEAKS” on which stolen corporate data of non-paying victims is publicly disclosed.\r\nThe research outlined in this blog is focused on the Get2/GetandGo and SDBbot samples we obtained. We unpacked\r\nthe captured samples and organized them by the campaign they belong to. This gave us an accurate\r\nview of the working schedule of the TA505 group during the past year.\r\n2. Infection Chain and Tooling\r\nAs mentioned above, the threat actor uses private as well as public tooling to gain access, infect the network and\r\ndrop Clop ransomware.\r\n2.1. Email – XLS – GetandGo\r\nhttps://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/\r\nPage 1 of 15\n\nFigure 1. Initial Infection\r\n1. The victim receives an HTML attachment containing a link to a malicious website. Once the file is\r\nopened in a browser, it redirects to a compromised URL.\r\n2. The compromised URL redirects again to the XLS download page, which is operated by the actor.\r\n3. From this URL the victim downloads the XLS file; the language of the download page frequently indicates the\r\ncountry targeted.\r\n4. Once the XLS is downloaded and triggered, GetandGo is executed, communicates with the C\u0026C and\r\ndownloads SDBbot.\r\n2.2. SDBbot Infection Process\r\nFigure 2. SDBbot infection process\r\n1. GetandGo executes the “ReflectiveLoader” export of SDBbot.\r\n2. SDBbot consists of three modules: the Installer, the Loader and the RAT module.\r\n3. Initially the Installer module is executed; it creates a registry BLOB containing the Loader code and the RAT\r\nmodule.\r\n4. 
The Loader module is dropped to disk, and persistence is maintained via this module.\r\n5. The Loader module reads the registry BLOB and loads the Loader code. This Loader code is executed and in turn loads\r\nthe RAT module, which is again executed in memory.\r\n6. The RAT module communicates with the C\u0026C and awaits commands from the operator.\r\n2.3. TA505 Infection Chain\r\nFigure 3. TA505 Infection Chain\r\nOnce SDBbot has obtained persistence, the actor uses this RAT to grab information from the machine,\r\nprepare the environment and download the next payloads. At this stage the operator might also kill the bot if it is\r\ndetermined that the victim is not interesting to them.\r\nFor further infection of victims and access to administrator accounts, Fox-IT has also frequently observed TinyMet and\r\nCobalt Strike being used.\r\n3. TA505 Packer\r\nTo evade antivirus products and frustrate malware reverse engineering, malware operators leverage\r\nencryption and compression via executable packing to protect their malicious code. Malware packers are\r\nessentially software programs that either encrypt or compress the original malware binary, thus making it\r\nunreadable until it is unpacked in memory.\r\nIn general, malware packers consist of two components:\r\n• A packed buffer, the actual malicious code\r\n• An “unpacking stub” responsible for unpacking and executing the packed buffer\r\nTA505 also works with a custom packer; however, their packer contains two buffers. The initial stub decrypts the\r\nfirst buffer, which acts as another unpacking stub. The second unpacking stub subsequently unpacks the second\r\nbuffer, which contains the malicious executable. 
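The checks this section describes at header level (which architecture a sample targets, whether UPX section names are present, and the compile timestamp of the packed stub versus that of the embedded payload) can be scripted. The Python below is an added example and is not TAFOF Unpacker or any TA505 code: it models the inner buffer as a PE image XOR-encoded with a repeating two-byte key (an assumption made for illustration; the stub layout and encoding of the real packer are not described here), recovers the key from the known MZ bytes, confirms it against the PE signature at e_lfanew, and reports the compile timestamp of both layers. The sample binary is built in memory, so the script runs offline.\r\n

```python
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: 'x86', 0x8664: 'x64'}
PE_SIG = b'PE' + bytes(2)   # 'PE' followed by two NUL bytes

def build_pe(timestamp, machine, section_names):
    # Constructed minimal PE image: DOS header, PE signature, COFF header, no optional header,
    # one 40-byte section header per name. Sample input for the scanner, not a real binary.
    dos = bytearray(64)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 60, 64)            # e_lfanew: PE header directly after the DOS header
    coff = struct.pack('<HHIIIHH', machine, len(section_names), timestamp, 0, 0, 0, 0)
    secs = b''.join(n.encode().ljust(8, bytes(1)) + bytes(32) for n in section_names)
    return bytes(dos) + PE_SIG + coff + secs

def parse_pe(buf):
    # Architecture, compile timestamp and section names, read straight from the headers.
    if len(buf) < 64 or buf[:2] != b'MZ':
        return None
    e_lfanew = struct.unpack_from('<I', buf, 60)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != PE_SIG:
        return None
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', buf, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size
    names = [buf[sec_off + 40 * i:sec_off + 40 * i + 8].rstrip(bytes(1)).decode('ascii', 'replace')
             for i in range(nsec)]
    return {
        'arch': MACHINE_NAMES.get(machine, hex(machine)),
        'compiled': datetime.fromtimestamp(ts, tz=timezone.utc).strftime('%Y-%m-%d %H:%M UTC'),
        'sections': names,
        'upx': any(n.startswith('UPX') for n in names),   # UPX leaves its UPX0/UPX1 section names behind
    }

def xor_stream(data, kb, phase=0):
    # Repeating-key XOR; phase is the position of data[0] in the key stream.
    return bytes(b ^ kb[(phase + i) % len(kb)] for i, b in enumerate(data))

def find_xor_pe(blob):
    # Known-plaintext scan for a PE XOR-encoded with a repeating two-byte key: the MZ bytes at a
    # candidate offset yield both key bytes, and the PE signature at e_lfanew confirms them.
    hits = []
    for off in range(len(blob) - 64):
        kb = bytearray(2)
        kb[off % 2] = blob[off] ^ 0x4D             # 'M'
        kb[(off + 1) % 2] = blob[off + 1] ^ 0x5A   # 'Z'
        if kb == bytearray(2):
            continue                               # a plaintext PE, not an encoded buffer
        head = xor_stream(blob[off:off + 64], kb, off)
        e_lfanew = struct.unpack_from('<I', head, 60)[0]
        if not 64 <= e_lfanew <= 0x1000 or off + e_lfanew + 24 > len(blob):
            continue
        sig = xor_stream(blob[off + e_lfanew:off + e_lfanew + 4], kb, off + e_lfanew)
        if sig != PE_SIG:
            continue
        key = bytes(kb[(off + i) % 2] for i in range(2))   # key as applied from the image start
        hits.append((off, int.from_bytes(key, 'little'), xor_stream(blob[off:], kb, off)))
    return hits

def triage(blob):
    # Outer (packed) headers plus every decodable embedded image with its own compile timestamp.
    embedded = []
    for off, key, image in find_xor_pe(blob):
        info = parse_pe(image)
        if info:
            embedded.append({'offset': off, 'key': key, **info})
    return {'outer': parse_pe(blob), 'embedded': embedded}

def demo():
    # Constructed sample: an x86 stub whose header timestamp is the packing time, carrying a
    # UPX-wrapped x86 payload (routine 3 in the table) XOR-encoded with the key 0x50F1. Returns
    # the triage result and the offset at which the payload was placed, for checking.
    campaign = int(datetime(2019, 10, 16, 7, 30, tzinfo=timezone.utc).timestamp())
    packed_at = int(datetime(2019, 10, 16, 9, 5, tzinfo=timezone.utc).timestamp())
    inner = build_pe(campaign, 0x014C, ['UPX0', 'UPX1', '.rsrc'])
    stub = build_pe(packed_at, 0x014C, ['.text', '.data'])
    filler = bytes((i * 37 + 11) & 0xFF for i in range(300))
    blob = stub + filler + xor_stream(inner, (0x50F1).to_bytes(2, 'little'))
    return triage(blob), len(stub) + len(filler)

if __name__ == '__main__':
    result, expected_off = demo()
    print('stub compiled', result['outer']['compiled'], result['outer']['arch'])
    for e in result['embedded']:
        print('embedded at', e['offset'], 'key', hex(e['key']), e['arch'],
              'UPX' if e['upx'] else 'no UPX', 'compiled', e['compiled'])
```

The outer timestamp is the packing time and the inner one the campaign compile time; comparing the two, together with the recovered key, is what allows packed samples to be grouped per campaign.\r\n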
In addition to their custom packer, TA505 often packs their malware\r\nwith a second or even a third layer of UPX (a publicly available open-source executable packer).\r\nBelow is an overview of the TA505 packing routines seen by Fox-IT. Based on the packing layers we can differentiate four\r\npacking routines; the percentages give the share of observed samples per architecture.\r\n#  Packing layers (outer to inner)                   x64     x86\r\n1  UPX(TA505 Custom Packer(UPX(Malicious Binary)))   0%      0.5%\r\n2  UPX(TA505 Custom Packer(Malicious Binary))        13.7%   0%\r\n3  TA505 Custom Packer(UPX(Malicious Binary))        0%      98.64%\r\n4  TA505 Custom Packer(Malicious Binary)             86.3%   0.86%\r\nTA505 Packing Routines\r\nTo aid our research, a Fox-IT analyst wrote a program dubbed “TAFOF Unpacker” to statically unpack samples\r\npacked with the custom TA505 packer.\r\nWe observed that the TA505 packed samples had a different compilation timestamp than the unpacked samples,\r\nand that the unpacked timestamps correlated correctly with the campaign timestamp. Furthermore, samples belonging to the same\r\ncampaign used the same XOR key to unpack the actual malware.\r\n4. Data Research\r\nOver the course of approximately a year, Fox-IT was able to collect TA505 initial XLS samples. Each XLS file\r\ncontained two embedded DLLs: an x64 and an x86 version of the Get2/GetandGo loader.\r\nBoth DLLs are packed with the same packer. However, the XOR key to decrypt the buffer is different. We have\r\n“named” the campaigns we identified based on the combination of those XOR keys: x86-XOR-Key:x64-XOR-Key\r\n(e.g. campaign 0X50F1:0X1218). All of the timestamps related to the captured samples were converted to UTC.\r\nFor hashes that existed on VirusTotal we used the VirusTotal first-seen timestamp; for the remainder, the first-seen timestamp of the Fox-IT\r\nMalware Lab was used.\r\nFind below an overview of the descriptive statistics of both datasets:\r\nFigure 4. Datasets Statistics\r\n4.1. 
Dataset 1, Working Hours and Workflow routine\r\nDuring this period, we collected all the XLS files matching our TA505-GetandGo Yara rule and unpacked\r\nthem with TAFOF Unpacker. We observed that the compilation timestamps of the packed samples were different\r\nfrom the unpacked ones. Furthermore, the unpacked one clearly indicated the malspam campaign date.\r\nFor Dataset 1, we used the VirusTotal first seen timestamp as an estimate of when the campaign took place.\r\nIn the following graph we plotted all 81 campaigns (XOR-key combinations), ordered chronologically\r\nbased on the C\u0026C domain registration time.\r\nWhat we noticed is that the orange/yellow/light green patches are relatively short, meaning that the domain was\r\nregistered shortly before the malware was compiled, and that the first sample of the campaign was\r\nfound on VirusTotal a few hours or days later.\r\nFigure 5. Dataset 1, Campaigns overview\r\nThe graph makes the workflow the group follows most of the time clear: register the C\u0026C,\r\ncompile the malware and, shortly after, release the malspam campaign.\r\nIn 37% of the campaigns the first seen sample follows the compilation timestamp within 12\r\nhours, while 79% of the campaigns are discovered within 1 day of the compilation timestamp and 91.3% within 2\r\ndays.\r\nWe can also observe the long vacation taken during the Christmas/New Year period (20th December 2019 until\r\n13th of January 2020), another indication of a Russian-speaking cybercrime group.\r\nFigure 6. Dataset 1, Compilation Timestamps UTC\r\nThe group mostly works on Mondays, Wednesdays and Thursdays, less frequently Tuesdays, Fridays and Sundays\r\n(Sundays mostly being used to prepare the Monday campaign). 
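The workflow and working-hour analysis above reduces to date arithmetic over one record per campaign: C\u0026C domain registration time, compile timestamp of the unpacked loader, and first-seen time. The Python below is an added example, not Fox-IT analysis code, run over constructed records (the timestamps and the XOR-key campaign names other than the 0X50F1:0X1218 example are made up for illustration). It computes the first-seen lag buckets, checks the register-compile-release order, builds the weekday and hour-of-day profile, finds multi-week gaps such as a holiday break, computes a Dransom time, and lists the events of one week as the data behind a weekly schedule plot.\r\n

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

def ts(s):
    # Every timestamp is treated as UTC, as in the datasets above.
    return datetime.strptime(s, '%Y-%m-%d %H:%M').replace(tzinfo=timezone.utc)

# Constructed campaign records (made up for illustration, not real samples), named
# x86-XOR-key:x64-XOR-key as above: C2 domain registration, compile timestamp of the
# unpacked loader, and first-seen time of the first sample of that campaign.
CAMPAIGNS = [
    ('0X50F1:0X1218', '2019-10-13 18:20', '2019-10-14 06:40', '2019-10-14 09:15'),
    ('0X3A7C:0X9B02', '2019-10-15 20:00', '2019-10-16 07:10', '2019-10-16 16:10'),
    ('0XC4D1:0X2E77', '2019-10-16 05:30', '2019-10-16 07:55', '2019-10-17 13:55'),
    ('0X8812:0X6F3A', '2019-10-17 06:00', '2019-10-17 08:30', '2019-10-18 02:30'),
    ('0X1F9E:0XA05C', '2019-10-27 20:10', '2019-10-28 06:25', '2019-10-28 14:25'),
    ('0X7B60:0X4D19', '2019-11-06 04:30', '2019-11-06 06:50', '2019-11-07 10:50'),
    ('0XE2A3:0X0C8B', '2019-11-13 17:00', '2019-11-14 07:45', '2019-11-14 12:45'),
    ('0X55F4:0XB3E1', '2019-11-24 19:40', '2019-11-25 06:05', '2019-11-25 08:05'),
    ('0X9C27:0X71D6', '2019-12-03 21:30', '2019-12-04 06:10', '2019-12-05 09:10'),
    ('0X0E85:0XDA42', '2019-12-10 22:00', '2019-12-11 06:30', '2019-12-11 15:30'),
    ('0XA6B9:0X38F0', '2019-12-18 10:00', '2019-12-19 06:15', '2019-12-19 11:15'),
    ('0X4731:0XC9A8', '2020-01-12 21:00', '2020-01-13 05:20', '2020-01-13 10:20'),
    ('0XD05E:0X1B6D', '2020-01-14 19:00', '2020-01-15 06:00', '2020-01-16 12:00'),
    ('0X62CA:0X8F15', '2020-01-16 07:00', '2020-01-16 21:30', '2020-01-20 09:30'),
]

def records():
    return [{'name': n, 'registered': ts(r), 'compiled': ts(c), 'first_seen': ts(f)}
            for n, r, c, f in CAMPAIGNS]

def lag_distribution(recs, limits_h=(12, 24, 48)):
    # Share (%) of campaigns whose first sighting came within each number of hours of compilation.
    lags = [(r['first_seen'] - r['compiled']).total_seconds() / 3600 for r in recs]
    return {h: round(100 * sum(l <= h for l in lags) / len(lags), 1) for h in limits_h}

def follows_workflow(recs):
    # Fraction of campaigns where registration precedes compilation, which precedes first sighting.
    return sum(r['registered'] < r['compiled'] < r['first_seen'] for r in recs) / len(recs)

def activity_profile(recs):
    # Weekday and hour-of-day histograms of compile timestamps, plus earliest and latest hour.
    days = Counter(r['compiled'].strftime('%a') for r in recs)
    hours = Counter(r['compiled'].hour for r in recs)
    return days, hours, min(hours), max(hours)

def quiet_periods(recs, min_days):
    # Gaps between consecutive compilations of at least min_days, e.g. a holiday break.
    seq = sorted(r['compiled'] for r in recs)
    gaps = []
    for a, b in zip(seq, seq[1:]):
        days = (b - a).total_seconds() / 86400
        if days >= min_days:
            gaps.append((a.strftime('%Y-%m-%d'), b.strftime('%Y-%m-%d'), round(days, 2)))
    return gaps

def dransom_days(initial_access, ransomware):
    # Time from initial access to ransomware release, in days.
    return (ts(ransomware) - ts(initial_access)).total_seconds() / 86400

def week_events(recs, monday):
    # Everything that happened in the seven days from the given Monday: one
    # (weekday, time, phase, campaign) entry per event, in time order.
    start = ts(monday)
    end = start + timedelta(days=7)
    events = []
    for r in recs:
        for phase in ('registered', 'compiled', 'first_seen'):
            t = r[phase]
            if start <= t < end:
                events.append((t, t.strftime('%a'), t.strftime('%H:%M'), phase, r['name']))
    return [e[1:] for e in sorted(events)]

if __name__ == '__main__':
    recs = records()
    print('first seen within 12h/1d/2d of compilation (%):', lag_distribution(recs))
    print('register -> compile -> first seen order kept:', follows_workflow(recs))
    days, hours, first, last = activity_profile(recs)
    print('weekdays:', dict(days), 'hours:', dict(sorted(hours.items())), 'range:', first, last)
    print('breaks of 14+ days:', quiet_periods(recs, 14))
    print('Dransom time (days):', dransom_days('2019-10-15 10:00', '2019-12-23 10:00'))
    for e in week_events(recs, '2019-10-14 00:00'):
        print(' ', *e)
```

On real data the first-seen source differs per sample (VirusTotal or an internal malware lab), so the lag buckets are only as good as the earliest sighting available; the weekday and hour profile is the part that is robust to that, because it uses the compile timestamp alone.\r\n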
As for working hours, the earliest is usually 6 AM UTC and the latest 10 PM UTC.\r\nThese time schedules once again give us a small indication of the time zone the actor is operating from.\r\n4.2. Dataset 2, Working Hours and Workflow routine\r\nFor Dataset 2, we used the first seen date of the InTELL Malware Lab as the source. This dataset contains\r\nsamples obtained after their time off. In this research we combined SDBbot data as well, which is the next stage\r\npayload of Get2. Furthermore, for this second dataset we managed to collect TA505 malspam emails from actual\r\ntargets/victims, the language of the email indicating the country targeted.\r\nFigure 7. Dataset 2, Campaigns overview\r\nThe graph above clearly shows that multiple GetandGo campaigns were downloading the \"same\r\nSDBbot\" (same C\u0026C). This makes the purpose of the short lifespan of a GetandGo\r\nC\u0026C even clearer: it breaks the link to the SDBbot C\u0026C (as happened in this research on the 24th of June). This\r\ngives the SDBbot C\u0026C a longer lifespan while avoiding easy detection.\r\nFigure 8. Dataset 2, GetandGo Compilation Timestamps UTC\r\nThe working days are the same since they restarted after their long time off, although now we see a small\r\ndifference in the working hours, starting as early as 5 AM UTC and ending at 11 PM UTC. This small 1 hour difference\r\nin the earliest working time might indicate that the group started \"working from home\" like the rest of the\r\nworld during these pandemic times. However, as the two periods fall in winter and summer time respectively, it could\r\nalso be related to daylight saving time. 
Combined with the prior knowledge that the group communicates\r\nin Russian, this points specifically to Ukraine as the only majority Russian-speaking country observing\r\nDST, but by itself this would be speculation.\r\nThe time information does, however, point to a likely Eastern European presence of the group, and not all members\r\nnecessarily have to be in one country.\r\nFigure 9. Dataset 2, GetandGo and SDBbot Compilation Timestamps UTC\r\nWhen we also plotted the SDBbot compilation timestamps, we observed that GetandGo is more of a morning/day\r\ntask for the group, as they need to target victims during the victims’ working hours, whereas SDBbot work is performed mostly\r\nduring the evening, as there is less time pressure in that case.\r\n5. Dransom Time\r\n“Dransom time is the period from when a malicious attack enters the network until the ransomware is released.”\r\nOnce initial access is achieved, the group gets hands-on with SDBbot and starts moving laterally in order to\r\nobtain root/admin access to the victim company/organization. This process can vary from target to target, as can\r\nthe duration from initial access (GetandGo) to ransomware (Clop).\r\nFigure 10. Dransom Time 69 days\r\nFigure 11. Dransom Time 3 days\r\nFigure 12. Dransom Time 32 days\r\nThe differences in Dransom time show that the group is capable of staying undetected for long periods of\r\ntime (more than 2 months), as well as getting root access as fast as circumstances allow (3 days).\r\n* There are certainly more extreme Dransom times accomplished by this group, but the above are some of the\r\nones we encountered and managed to obtain.\r\n6. 
Working Schedule\r\nWith the above data at hand, we were able to accurately estimate the work focus of the group on specific days and\r\ntimes during the past year.\r\nThe weeks below are some examples of this data, plotted as a weekly schedule (time in UTC).\r\n* Each color represents a different campaign.\r\n6.1. Week 42, 14-20 of October 2019\r\nFigure 13. TA505 Weekly Schedule, week 42 2019\r\nDuring this week, the group released six different campaigns targeting various geographical regions. We observe\r\nthe group preparing two Monday campaigns on Sunday, and on Tuesday they achieved the initial\r\ninfection at Maastricht University.\r\nOn Wednesday, the group performed two campaigns targeting different regions, although this time they used the\r\nsame C\u0026C domain and the only difference was the URL path (f1610/f1611).\r\n6.2. Week 43, 21-27 of October 2019\r\nFigure 14. TA505 Weekly Schedule, week 43 2019\r\nThroughout week 43, the group performed three campaigns. The first campaign was released on Monday and was\r\npartially prepared on Sunday.\r\nOn Wednesday, the group prepared and released a campaign on the same day, which resulted in the initial\r\ninfection of Antwerp University. Over the next three to four days, the group managed to get administrator access,\r\nand released Clop ransomware on the Saturday of the same week.\r\n6.3. Week 51, 16-22 of December 2019\r\nFigure 15. TA505 Weekly Schedule, week 51 2019\r\nWeek 51 was the last week before their ~20 day \"vacation\" period, during which Fox-IT didn’t observe any new\r\ncampaigns. 
The last campaign of this week was observed on Thursday.\r\nDuring those days of \"vacation\", the group was mainly off, although they were spotted activating Clop\r\nransomware at Maastricht University and encrypting its network more than two months after the initial\r\naccess (week 42).\r\n6.4. Week 2, 6-12 of January 2020\r\nFigure 16. TA505 Weekly Schedule, week 2 2020\r\nWhile the group didn’t release any campaigns in week 2, they were observed preparing the first campaign since\r\ntheir \"vacation\" late on Sunday, to be released on the Monday of week 3.\r\n7. Conclusion\r\nThe extreme Dransom times demonstrate a highly sophisticated and capable threat actor, able to stay under the\r\nradar for long periods of time, as well as quickly achieving administrator access when possible. Their working\r\nschedule shows a well-organized and well-structured group with high motivation, working in a criminal\r\nenterprise full days, starting early and finishing late at night when needed. The hourly timing information does\r\nsuggest that the actors are in Eastern Europe and mostly work along a fairly set schedule, with a reasonable\r\npossibility that the group resides in Ukraine as the only majority Russian-speaking country observing daylight\r\nsaving time. Since their MO switched after the introduction of Clop ransomware in early 2019, TA505 has been\r\nan important threat to all kinds of organizations in various sectors across the world.\r\nSource: https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/"
	],
	"report_names": [
		"ta505-a-brief-history-of-their-time"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd1f9d0cb13681bb9142bb5cf94279e626c5c868.pdf",
		"text": "https://archive.orkl.eu/bd1f9d0cb13681bb9142bb5cf94279e626c5c868.txt",
		"img": "https://archive.orkl.eu/bd1f9d0cb13681bb9142bb5cf94279e626c5c868.jpg"
	}
}